ASR Rules block launching Teams meetings from Outlook

New Contributor

After deploying the security baselines which enables the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869) users are no longer able to launch Teams meetings from a calendar entry in Outlook.

 

The following is logged:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
 	Detection time: 2020-08-11T07:03:51.689Z
 	User: CACT\user
 	Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
 	Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
 	Security intelligence Version: 1.321.1142.0
 	Engine Version: 1.1.17300.4
 	Product Version: 4.18.2007.8

 

Is it possible to create an exception only for the Teams client to launch as it is installed on a per-user basis?

3 Replies

@Tom13984  Which Windows 10-version have you seen this one on? Multiple different versions? Your PC's have W10 E3 as license?

 

Feels odd, I have this ASR-rule in block on multiple computers where this problem have not surfaced. In 124 examples only excel, powerpoint and word has been affected in an example environment and these users/computers have accessed teams-meetings from outlook.

Thanks for your reply. We're running E5 on these devices. It is occurring on multiple machines. They are all 2004.

@Tom13984  No problems. I haven't encountered this issue. I tested the rule and opened a Teams-meeting in Outlook on a Windows 2004 + with E5. Maybe it's related to your office-patch level somehow? Do you run O365 C2R SAC? If I were you I would open a case to Microsoft, this can't be expected behaviour. 

 

Anyway, when you have E5 you can exclude stuff here: https://security.microsoft.com/asr?viewid=exclusions

Exclude.png

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize...